The U.S. Internal Revenue Service (IRS) said this week that beginning in 2021 it will allow all taxpayers to apply for an identity protection personal identification number (IP PIN), a single-use code designed to block identity thieves from falsely claiming a tax refund in your name. Currently, IP PINs are issued only to those who fill out an ID theft affidavit, or to taxpayers who’ve experienced tax refund fraud in previous years.
Tax refund fraud is a perennial problem involving the use of identity information and often stolen or misdirected W-2 forms to electronically file an unauthorized tax return for the purposes of claiming a refund in the name of a taxpayer.
Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.
Many of the reasons why refund fraud remains a problem have to do with timing, and some of them are described in more detail here. But the short answer is the IRS is under tremendous pressure to issue refunds quickly and to minimize “false positives” (flagging legitimate claims as fraud) — even when it may not yet have all of the information needed to accurately distinguish phony filings from legitimate ones.
One way the IRS has sought to stem the flow of bogus tax refund applications is to issue the IP PIN, which is a six-digit number assigned to eligible taxpayers to help prevent the use of their Social Security number on a fraudulent income tax return. Each PIN is good only for the tax year for which it was issued.
But up until now, the IRS has restricted who can apply for an IP PIN, although it has over the past few years issued them proactively to some taxpayers as part of a multi-state experiment to determine if doing so more widely might reduce the overall incidence of refund fraud.
The IRS says it will make its Get IP PIN tool available to all taxpayers in mid-January. Until then, if you haven’t already done so you should plant your flag at the IRS by stepping through the agency’s “secure access authentication” process.
Creating an account requires supplying a great deal of personal data; the information that will be requested is listed here.
The signup process requires one to validate ownership of a mobile phone number in one’s name, and it will reject any voice-over-IP-based numbers services such as those tied to Skype or Google Voice. If the process fails at this point, the site should offer to send an activation code via postal mail to your address on file.
from Krebs on Security https://ift.tt/36E4qpW